Two-factor authentication

In the last edition of this newsletter, I attempted to make the point that using the same password on more than one site is a recipe for disaster. If you followed my advice and installed 1Password (or another password manager) and have begun creating a unique password for each of your accounts, you’ve taken a great step forward in your online security. 👏

Unfortunately, the bad actors are still one step ahead of you. Let’s say one day you receive an email from your bank. It alerts you that you have a low balance. You click on the link provided in the email and your browser opens up your bank website. You type in your username and password, but it doesn’t seem to work. You try again and it works as expected. Your balance looks fine, so you sign out.

The next day you visit the ATM, but it says there are no funds in your account! What just happened? 🤯

The email you received wasn’t from your bank! The link you clicked on took you to a website that looked exactly like your bank’s website, but it wasn’t. Therefore, when you tried to sign into this fraudulent site, you handed your username and password over to the bad guys who used them to empty your account while you slept.

This is called a phishing attack because you were baited into handing over your credentials. 🎣

A couple lessons here:

Rather than clicking on links in emails, it’s better to go to the purported website directly, by typing its address or using a bookmark you saved earlier (that applies to the links in this email as well!).

If you’re using the 1Password browser plugin to fill in usernames and passwords, it only offers a saved login on the website address it was saved for. A phishing site lives at a different address, however closely it mimics the real one, so the plugin won’t fill anything in, and the missing autofill is itself a warning sign that you might not be where you think you are.
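To make the previous point concrete, here is an added example (not 1Password’s code, and not from the original newsletter) of the rule a password manager applies before autofilling: the page’s host must be the host the login was saved for, or a subdomain of it. The vault contents and the URLs are constructed for the demo.

```python
"""Added illustration of host-matched autofill, the reason a password manager
won't type your bank password into a look-alike phishing page.
Hypothetical vault; not 1Password's implementation."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: saved host -> (username, password).
VAULT = {
    "mybank.example": ("alice", "correct horse battery staple"),
}


def host_of(url: str) -> str:
    """Lowercased host part of a URL (userinfo and port stripped)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def credentials_for(url: str) -> Optional[Tuple[str, str]]:
    """Return the saved login for this page, or None if nothing matches.

    A match is the exact saved host or a subdomain of it. Look-alikes such as
    mybank.example.evil.test or mybank-example.test share no host with the
    saved entry, so they get nothing, no matter how the page looks."""
    if urlsplit(url).scheme != "https":
        return None  # never hand credentials to a page that isn't over TLS
    host = host_of(url)
    for saved_host, creds in VAULT.items():
        if host == saved_host or host.endswith("." + saved_host):
            return creds
    return None


if __name__ == "__main__":
    for page in ("https://mybank.example/login",
                 "https://online.mybank.example/login",
                 "https://mybank.example.evil.test/login",
                 "https://mybank-example.test/login",
                 "http://mybank.example/login"):
        print(page, "->", "fill" if credentials_for(page) else "no match")
```

Note that subdomain matching trusts whoever controls the registered domain; that is the normal trade-off a manager makes so that `online.mybank.example` still works, and it is what makes a different registered domain fail.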

To protect yourself against attacks like this, you should turn on two-factor authentication (2FA) wherever it’s offered. With two-factor authentication, in addition to providing your username and password when signing into a site, you also have to provide a code, usually generated by an app on your phone or by a small hardware token, that changes every 30 to 60 seconds. A stolen password on its own is no longer enough to get in. One caveat: a phishing site that immediately forwards your password and code to the real site can still sign in once before the code expires, so code-based 2FA raises the bar considerably but doesn’t eliminate phishing. Hardware security keys that check the website’s address themselves (the FIDO/U2F kind) are the one option a look-alike site can’t trick.

There are several mechanisms. Hardware tokens and authenticator apps (software tokens) are true two-factor authentication. Codes sent by SMS or read out in a phone call are weaker, since a phone number can be hijacked (so-called SIM swapping) and text messages intercepted, which is why they’re often described as two-step rather than two-factor. Which of these you can use will depend on what each site offers; pick the strongest one available.

A comprehensive list of sites and their two-factor/two-step offerings can be found at https://twofactorauth.org. Simply search for your email provider, bank or favorite social media platform and it will show you what each one offers, along with a link to that site’s own documentation on setting it up.

I strongly recommend using 2FA on every account that supports it. It’s also best to set up a backup mechanism in case you lose access to your second factor (for example, if you lose your phone). Many sites let you print out a list of one-time backup codes; just be sure to store them somewhere safe, and not alongside your password.
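For readers who want to see what the “code” in the paragraphs above actually is, and how the backup codes work, here is an added example (my own illustration, not code from the newsletter, from 1Password or from any bank). It implements the time-based one-time password that authenticator apps and many hardware tokens generate (TOTP, RFC 6238, built on HOTP, RFC 4226), the server-side check with a small clock-drift window, and single-use backup codes stored only as hashes. The shared secret is the published RFC test-vector key, and the backup codes are constructed at run time.

```python
"""Added example: a TOTP second factor (RFC 6238 over RFC 4226 HOTP), the
server-side check, and single-use backup codes. Not the code of any real
site; the secret is the RFC test-vector key, and backup codes are made up."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Set, Tuple

# Constructed shared secret: the RFC 4226/6238 test-vector key, base32-encoded
# the way it would appear in an enrollment QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = number of `step`-second intervals
    since the Unix epoch. Phone app and server each compute it from the shared
    secret and the clock, so no code ever has to be sent in advance."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current interval plus `window` intervals
    either side for clock drift, comparing in constant time. The code expires
    within a minute or two, which is why a phished code is only useful right
    away and a stolen password alone is useless."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, at // step + drift, len(submitted) if submitted.isdigit() else 6)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def issue_backup_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """Mint n single-use backup codes. The user gets the plaintext list to
    print and file away; the site stores only hashes, so a leaked database
    does not hand out working codes. (A real site also rate-limits attempts,
    since the codes are kept short enough to type.)"""
    plain = [secrets.token_hex(5) for _ in range(n)]   # 10 hex chars, 40 bits
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_backup_code(stored: Set[str], submitted: str) -> bool:
    """Consume a backup code: valid exactly once, then deleted from the store."""
    h = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code, now))
    codes, store = issue_backup_codes(3)
    print("backup codes:", codes)
    print("first use:", redeem_backup_code(store, codes[0]),
          "second use:", redeem_backup_code(store, codes[0]))
```

Two things worth noticing when you run it: the code depends only on the secret and the current time, so losing the phone means losing the secret (hence the backup codes), and each backup code disappears from the store the first time it is accepted, so a printed list is worth exactly one login per line.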